OFFICE OF THE SECRETARY
Inadequate Practice and Management Hinder Incident Detection and Response
FINAL REPORT NO. OIG-14-017-A
APRIL 24, 2014

U.S. Department of Commerce
Office of Inspector General
Office of Audit and Evaluation

FOR PUBLIC RELEASE


UNITED STATES DEPARTMENT OF COMMERCE
Office of Inspector General
Washington, D.C. 20230

April 24, 2014

MEMORANDUM FOR:  Simon Szykman
                 Chief Information Officer

FROM:            Allen Crawley
                 Assistant Inspector General for Systems Acquisition and IT Security

SUBJECT:         Inadequate Practice and Management Hinder Incident Detection and Response—Final Report No. OIG-14-017-A

Attached please find the final report of our audit of the Department’s incident detection and response practices. In accordance with the Federal Information Security Management Act of 2002, we reviewed incident detection and response practices at four bureaus: Bureau of Economic Analysis (BEA), Bureau of Industry and Security (BIS), International Trade Administration (ITA), and United States Patent and Trademark Office (USPTO). We also evaluated these capabilities at the Herbert C. Hoover Building Security Operations Center (SOC). Our objective was to determine whether key security measures are in place to adequately monitor networks, detect malicious activities, and handle cyber incidents.

We found that (1) bureaus’ actions in response to suspicious network activities may not stop cyber attacks in a timely manner and (2) lack of collaboration prevents the bureaus from realizing full benefits of incident detection and response capabilities provided by Managed Trusted Internet Protocol Services.

We have summarized your response in the report and included the formal response as appendix B. The final report will be posted on the OIG’s website pursuant to section 8L of the Inspector General Act of 1978, as amended.

In accordance with Departmental Administrative Order 213-5, please submit to us within 60 calendar days of the date of this memorandum an action plan that responds to the recommendations in this report.

We appreciate the cooperation and courtesies extended to us by your staff and bureau staff during our audit. If you have any questions or concerns about this report, please contact me at (202) 482-1855 or Dr. Ping Sun, Director for IT Security, at (202) 482-6121.

Attachment

cc:  Kirit Amin, Deputy Chief Information Officer and Chief Technology Officer
     Brian Callahan, Chief Information Officer, BEA
     Eddie Donnell, Acting Chief Information Officer, BIS
     Ken Berman, Acting Chief Information Officer, ITA
     John B. Owens II, Chief Information Officer, USPTO
     Rod Turk, Director, Office of Cyber Security
     Susan Schultz Searcy, Audit Liaison, Office of the Chief Information Officer


Report In Brief                                                    APRIL 24, 2014

OFFICE OF THE SECRETARY
Inadequate Practice and Management Hinder Incident Detection and Response
OIG-14-017-A

Background

Pervasive and sustained cyber attacks against the United States could have a devastating effect on federal and nonfederal systems, disrupt the operations of governments and businesses, and impact the lives of the American people. The Department of Commerce is under threat because of its reliance on Internet-based technologies, which interconnect its IT systems and facilitate business with the public. Having effective incident detection and response is crucial to minimizing the impact of cyber attacks and maintaining the Department’s business operations.

Why We Did This Review

The Federal Information Security Management Act (FISMA) of 2002 requires federal agencies to establish incident response capabilities. Performing incident response effectively is a complex undertaking that requires continual monitoring for attacks; establishing clear procedures for prioritizing handling of incidents; collecting, analyzing, and reporting data; and communication within and outside of the organization.

Our objective in conducting this audit was to determine whether key security measures are in place to adequately monitor networks, detect malicious activities, and handle cyber incidents.

WHAT WE FOUND

As part of our FISMA audit work, we evaluated incident detection and response capabilities at four Department of Commerce bureaus: the Bureau of Economic Analysis, Bureau of Industry and Security, International Trade Administration, and United States Patent and Trademark Office. We also evaluated these capabilities at the Herbert C. Hoover Building Security Operations Center (SOC) within the Office of the Secretary. We found that

    1. Bureaus’ actions in response to suspicious network activities may not stop cyber attacks in a timely manner. All bureaus that we reviewed have established an incident detection and response capability, although the degree of capabilities varies. To determine how the bureaus respond to real-time incidents, we performed external testing against their Web sites from the Internet. Only one bureau intervened to completely block our test. The rest either took no action or did not take timely action in response to our test.

    2. Lack of collaboration prevents the bureaus from realizing the full benefits of incident detection and response capabilities provided by Managed Trusted Internet Protocol Services (MTIPS). MTIPS offers Internet and bundled security services that bureaus use to comply with the Office of Management and Budget’s Trusted Internet Connection initiative. We found that bureaus do not consider MTIPS security services effective in supporting incident detection and response. We found that most communication between bureaus and the provider occurred when they initiated MTIPS services—and that little communication related to security services has occurred since then. In addition, bureaus indicated that they were not receiving significant incident monitoring and detection services.

WHAT WE RECOMMEND

We recommend that the Department’s Chief Information Officer work with the bureaus’ management to ensure that

    1. Bureaus follow the National Institute of Standards and Technology’s Computer Security Incident Handling Guide to take timely action in response to potential cyber attacks.

    2. Bureaus without around-the-clock SOC coverage work with the MTIPS provider to evaluate MTIPS services to fill gaps in SOC coverage after business hours.

    3. Bureaus interact with the MTIPS provider to (a) explore opportunities that leverage MTIPS services to reduce or eliminate security services currently handled by the bureau and (b) ensure that MTIPS security services are fully delivered and effectively utilized.

    4. Determine the feasibility and cost effectiveness of independently assessing incident management capabilities at all bureaus’ SOCs.


U.S. DEPARTMENT OF COMMERCE
OFFICE OF INSPECTOR GENERAL

Contents

Introduction ...................................................................... 1
Objective, Findings, and Recommendations .......................................... 2
    I.  Bureaus’ Actions in Response to Suspicious Network Activities May Not Stop
        Cyber Attacks in a Timely Manner .......................................... 2
    II. Lack of Collaboration Prevents the Bureaus From Realizing Full Benefits of
        Incident Detection and Response Capabilities Provided by Managed Trusted
        Internet Protocol Services ................................................ 4
    Other Matter .................................................................. 6
    Recommendations ............................................................... 6
Summary of Agency Response and OIG Comments ....................................... 8
Appendix A: Objective, Scope, and Methodology ..................................... 9
Appendix B: Agency Response ...................................................... 11

Introduction

Pervasive and sustained cyber attacks against the United States could have a devastating effect on federal and nonfederal systems, disrupt the operations of governments and businesses, and impact the lives of the American people. The Department is under constant threat because of its reliance on Internet-based technologies, which interconnect its IT systems and facilitate business with the public. Thus, having effective incident detection and response is crucial to minimize the impact of cyber attacks and maintain the Department’s business operations.

Our June 2013 Economic Development Administration (EDA) audit¹ found that EDA’s critical incident response decisions were based on inaccurate information and that deficiencies in the Department’s incident response program impeded EDA’s response, which resulted in a prolonged disruption of EDA’s normal business operations and the unnecessary spending of more than $2.7 million for its recovery activities. This review highlighted challenges that the Department faces when responding to a cyber incident.

The Federal Information Security Management Act (FISMA)² requires federal agencies to establish incident response capabilities. Performing incident response effectively is a complex undertaking that requires continual monitoring for attacks; establishing clear procedures for prioritizing handling of incidents; collecting, analyzing, and reporting data; and communication within and outside of the organization.

¹ U.S. Department of Commerce Office of Inspector General, June 26, 2013. Malware Infections on EDA’s Systems Were Overstated and the Disruption of IT Operations Was Unwarranted, OIG-13-027-A. Washington, DC: DOC OIG.

² The Federal Information Security Management Act of 2002 (FISMA), 44 U.S.C. § 3541 (2002), et seq., requires agencies to secure systems through the use of cost-effective management, operational, and technical controls. The statute’s goal is to provide adequate security commensurate with the risk and extent of harm resulting from the loss, misuse, or unauthorized access to or modification of information collected or maintained by or on behalf of an agency. In addition, FISMA requires inspectors general to evaluate agencies’ information security programs and practices by assessing a representative subset of agency systems, and results are reported to the Office of Management and Budget, the Department of Homeland Security, and Congress annually.

Objective, Findings, and Recommendations

As part of our FISMA audit work, we evaluated incident detection and response capabilities at four bureaus: Bureau of Economic Analysis (BEA), Bureau of Industry and Security (BIS), International Trade Administration (ITA), and United States Patent and Trademark Office (USPTO). We also evaluated these capabilities at the Herbert C. Hoover Building (HCHB) Security Operations Center (SOC). HCHB SOC, which is part of the Department’s Office of the Chief Information Officer (OCIO) within the Office of the Secretary (OS), coordinates with the Department’s Computer Security Incident Response Team (DOC CIRT) to provide incident detection and response services to seven bureaus with headquarters located at HCHB. Our objective was to determine whether key security measures are in place to adequately monitor networks, detect malicious activities, and handle cyber incidents. See appendix A for details regarding our objective, scope, and methodology.

We found that (1) bureaus’ actions in response to suspicious network activities may not stop cyber attacks in a timely manner and (2) lack of collaboration prevents the bureaus from realizing full benefits of incident detection and response capabilities provided by Managed Trusted Internet Protocol Services.

I. Bureaus’ Actions in Response to Suspicious Network Activities May Not Stop Cyber Attacks in a Timely Manner

Incident detection is the process of monitoring network activities and analyzing them for signs of possible security violations or imminent cyber attacks. Various network activities, such as executing malware or gaining unauthorized access to systems from the Internet, can trigger a potential cyber security incident. To effectively respond to a potential incident, responders must quickly analyze and validate each incident by following an established process. Based on National Institute of Standards and Technology (NIST) guidance,³ responders should:

    1. Rapidly perform an initial analysis to determine the incident’s scope, such as which networks, systems, or applications are affected; who or what originated the incident; and how the incident is occurring.

    2. Based on that analysis, prioritize subsequent activities, such as containment of the incident and deeper analysis of the effects of the incident (e.g., incident responders may decide to prevent a cyber attack by blocking all network traffic originating from the attacker’s computer).

    3. Document each step taken in the course of incident handling.

³ U.S. Department of Commerce, National Institute of Standards and Technology, August 2012. Computer Security Incident Handling Guide: Recommendations of the National Institute of Standards and Technology, SP 800-61, Rev. 2. Gaithersburg, MD: NIST.

All bureaus we reviewed have established incident detection and response capabilities, although the extent of these capabilities varies. For example, one bureau provides around-the-clock monitoring coverage at an operations center, whereas another provides monitoring at a center by having only two incident detection analysts working regular business hours. To see how the bureaus responded to real-time incidents, we used an automated web application security assessment tool to test their public-facing Web sites by accessing them from the Internet. Testing the Web sites simulated a cyber event consisting of prolonged suspicious network traffic that mimics real-world hacking techniques and cyber attacks. We analyzed information such as intrusion detection system (IDS) logs and alerts generated during the test, and evaluated actions taken by the bureaus in response to our testing.

Although all five bureaus’ automated tools detected and logged our testing activities, we found that (1) one bureau performed analysis of our simulated cyber event and intervened to completely block our testing; (2) one bureau did not analyze our simulated cyber event in a timely manner; and (3) three bureaus did not perform any analysis and did not take any action to respond to our testing.

Below is a summary of bureaus’ actions in response to our testing:⁴

    • Bureau 1 conducted timely analysis of the cyber attack generated by our testing and, before our testing was complete, contacted its service provider and requested that all traffic originating from our test computer be blocked.

    • Bureau 2 did not perform timely analysis of the cyber attack generated by our testing: analysis was performed 4 days after our testing was completed. The only incident responder assigned to analyze alert data generated by one of bureau 2’s incident detection tools was not available as a result of funding limitations. Bureau 2 concluded that the systems we tested were patched and protected by its automated security tools and, therefore, took no further actions. According to bureau 2, since our test, it has made incident alert data available to multiple responders.

    • Bureau 3 did not take any action to respond to the cyber attack generated by our testing. Although bureau 3’s process specifically requires the blocking of network traffic similar to that generated by our testing, according to bureau 3 officials, it only had an informal discussion about this cyber event. Bureau 3 is currently working on improving its incident handling process.

    • Bureau 4 did not take any action to respond to the cyber attack generated by our testing. Bureau 4 only has two analysts; according to its manager, at the time of our test, both of them were unavailable to respond to our simulated cyber attack. We found that, in addition to incident detection, these two analysts have other job responsibilities, such as data loss prevention, antivirus/malware management, and vulnerability assessment. Currently, bureau 4 is considering hiring an additional analyst.

    • Bureau 5’s incident responders did not intervene to completely block our testing activities. Nevertheless, one day after our testing, bureau 5 did categorize the computer used to conduct our testing among its “top 20 attackers prevented” in its daily management briefing report. This report was based on the fact that some, but not all, of our testing traffic was blocked by bureau 5’s automated security tool. This report could give bureau 5 management the impression that a cyber attack originating from that computer was prevented, even though it actually was not. Bureau 5 officials acknowledged that the incident responder did not follow the proper process to respond to our testing, and this individual is no longer with bureau 5. According to bureau 5, it has recently made improvements to its incident handling process, including reorganization of its incident responder teams.

⁴ For security reasons, we do not identify bureaus in our summary.

While testing Web sites, we identified critical- and high-risk vulnerabilities that can be exploited to compromise bureaus’ systems as well as users’ computers.
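As an added illustration (not from the OIG report or any bureau’s tooling), the following Python folds constructed IDS/firewall log lines into a per-source summary that reports a source as “prevented” only when all of its traffic was blocked, and flags sources whose initial analysis came later than an agreed window, the two gaps described for bureaus 5 and 2 above. The log format, field names, acknowledgement data and the 24-hour window are assumptions made for this example.

```python
"""Per-source triage summary over IDS/firewall log lines.

Constructed example, not from the OIG report or any bureau's tooling. It
targets two gaps the findings above describe: a briefing that counted a source
among "attackers prevented" when only part of its traffic was blocked, and
alert data left unanalyzed for days. Log format, field names and
acknowledgement data are assumptions made for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed log format: "<ISO timestamp> <source-ip> <signature> <ALLOW|BLOCK>".
# Constructed sample lines; addresses come from documentation ranges.
SAMPLE_EVENTS = """\
2013-09-10T14:02:11 198.51.100.7 web-scanner-ua BLOCK
2013-09-10T14:02:13 198.51.100.7 sqli-probe ALLOW
2013-09-10T14:02:19 198.51.100.7 dir-traversal-probe ALLOW
2013-09-10T14:03:40 198.51.100.7 xss-probe BLOCK
2013-09-10T15:10:00 203.0.113.22 ssh-bruteforce BLOCK
2013-09-10T15:10:05 203.0.113.22 ssh-bruteforce BLOCK
2013-09-10T16:00:00 192.0.2.9 cmd-injection-probe ALLOW
"""

# Assumed analyst acknowledgements: source -> time its alerts were first analyzed.
SAMPLE_ACKS = {
    "198.51.100.7": datetime(2013, 9, 14, 9, 0),    # almost four days later
    "203.0.113.22": datetime(2013, 9, 10, 15, 30),  # within the hour
}                                                   # 192.0.2.9: never analyzed

# Assumed window within which a potential incident should get its initial analysis.
DEFAULT_SLA = timedelta(hours=24)


@dataclass
class SourceSummary:
    source: str
    first_seen: datetime
    blocked: int = 0
    allowed: int = 0
    signatures: set = field(default_factory=set)

    @property
    def disposition(self) -> str:
        """Only a source with zero allowed events counts as "prevented"."""
        if self.allowed == 0:
            return "prevented"
        return "unblocked" if self.blocked == 0 else "partially blocked"


def parse_events(text: str) -> Dict[str, SourceSummary]:
    """Fold raw log lines into one summary per source address."""
    summaries: Dict[str, SourceSummary] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sig, action = line.split()
        when = datetime.fromisoformat(ts)
        s = summaries.setdefault(src, SourceSummary(src, when))
        s.first_seen = min(s.first_seen, when)
        s.signatures.add(sig)
        if action == "BLOCK":
            s.blocked += 1
        elif action == "ALLOW":
            s.allowed += 1
        else:
            raise ValueError(f"unknown action {action!r}: {line}")
    return summaries


def triage_report(text: str, acks: Dict[str, datetime],
                  sla: timedelta = DEFAULT_SLA) -> List[dict]:
    """One row per source (oldest first); flags partial blocking and late analysis."""
    rows = []
    for s in sorted(parse_events(text).values(), key=lambda x: x.first_seen):
        ack = acks.get(s.source)
        # Time from first sighting to first analysis; None when never analyzed.
        delay: Optional[timedelta] = (ack - s.first_seen) if ack else None
        late = delay is None or delay > sla
        rows.append({
            "source": s.source,
            "events": s.blocked + s.allowed,
            "allowed": s.allowed,
            "disposition": s.disposition,
            "analysis_delay_hours": (None if delay is None
                                     else round(delay.total_seconds() / 3600, 1)),
            "analysis_late": late,
            # Anything that got through, or was analyzed late, still needs work.
            "needs_action": late or s.disposition != "prevented",
        })
    return rows


def default_report() -> List[dict]:
    """Run the triage over the constructed sample data."""
    return triage_report(SAMPLE_EVENTS, SAMPLE_ACKS)


if __name__ == "__main__":
    for row in default_report():
        print(row)
```

In the sample, the first source is only “partially blocked” and was analyzed after roughly 91 hours, so a briefing built from `disposition` alone would not list it as prevented.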
We issued vulnerability scanning report memorandums to two affected bureaus. In response, the bureaus took action to remediate identified vulnerabilities. Delays in detecting and responding to suspicious network traffic could allow an adversary enough time to look for vulnerabilities, use identified vulnerabilities to compromise systems and networks, and potentially exfiltrate sensitive information. Therefore, early detection and response to potential cyber security incidents is a crucial step in stopping cyber attacks in a timely manner and thus better protecting information systems and assets.

II. Lack of Collaboration Prevents the Bureaus From Realizing Full Benefits of Incident Detection and Response Capabilities Provided by Managed Trusted Internet Protocol Services

The Office of Management and Budget (OMB)’s Trusted Internet Connection (TIC) initiative⁵ mandates that federal agencies optimize and standardize the security of their individual external network connections, including connections to the Internet. TIC’s goal is to improve the federal government’s security posture and incident response capability through the reduction and consolidation of external connections and provide enhanced monitoring and situational awareness of the connections. Federal agencies can comply with this mandate by acquiring Managed Trusted Internet Protocol Services (MTIPS) through the General Services Administration’s Networx contract.⁶

MTIPS offers Internet service and a bundle of security services—these include providing around-the-clock centralized monitoring and control of the network perimeter (network gateway), scanning all network traffic entering or leaving internal networks, detecting and preventing malicious activities, generating alerts and records of suspicious events, and managing firewalls. If effectively utilized as intended, these security services should provide the first line of defense to federal agencies’ interconnected networks, as well as enhance agencies’ existing incident detection and response capabilities.

⁵ Office of Management and Budget, November 20, 2007. Implementation of Trusted Internet Connections (TIC), Memorandum M-08-05. Washington, DC: OMB. Also see OMB, August 28, 2008. Transition from FTS2001 to Networx, Memorandum M-08-26. Washington, DC: OMB.

⁶ OMB, August 28, 2008. Transition from FTS2001 to Networx, Memorandum M-08-26. Washington, DC: OMB.

Currently, BEA, ITA, OS,⁷ and USPTO acquire TIC services from the same MTIPS provider; BIS will acquire services from that provider by mid-2014. Because MTIPS provides security services in addition to Internet service, bureaus are paying substantially more for MTIPS than they previously paid for Internet service (see table 1 below). While the bureaus fully rely on Internet service provided by MTIPS, we found that they do not consider MTIPS security services effective in supporting incident detection and response.

Table 1. Pre-MTIPS Internet Service and MTIPS Monthly Costs, by Bureau

    Bureau    Pre-MTIPS monthly cost for    Current MTIPS monthly cost for
              Internet service only         Internet service and security services
    USPTO     $28,027                       $288,000ᵃ
    BEA       $8,238                        $14,853
    ITA       $9,974                        $29,239
    OS        $11,000                       $25,217

    Source: BEA, ITA, OS, and USPTO
    ᵃ The MTIPS provider cost is significantly higher because USPTO increased the capacity requirements of the network connection. USPTO stated that the cost of the same level of connectivity increased about 240 percent after switching to MTIPS.

The bureaus and the MTIPS provider share responsibilities for ensuring that MTIPS security services are appropriately provided and effectively used. Thus, communication and coordination between the provider and bureaus are crucial to utilizing MTIPS security services to the fullest extent.
We found that most communication between the bureaus and the provider occurred when the bureaus initiated MTIPS services—and that little communication related to security services has occurred since then.

In addition, these bureaus indicated that they were not receiving significant incident monitoring and detection services. Some indicated they were receiving no security-related notifications or advisories from the MTIPS provider, whereas others indicated receiving only limited notifications or advisories. For example: we learned from a discussion with the MTIPS provider that, during a 3-month period (June–August 2013), the provider investigated 54 security issues, including 2 potential attacks, associated with the bureaus’ systems. However, when we followed up with the bureaus, they were completely unaware of these issues. Furthermore, one bureau has not received any incident reports since October 2012, and other bureaus expressed concern that the MTIPS portal used to communicate with the MTIPS SOC is not effective.

⁷ The Office of the Chief Information Officer within OS provides MTIPS service access to the following bureaus: EDA, Economic Statistics Administration, Minority Business Development Administration, National Telecommunications and Information Administration, OIG, and OS.

Each of the four bureaus we reviewed has its own set of tools that provide security services similar to those provided by MTIPS. However, the bureaus have not determined which of the MTIPS services that they are paying for could be used instead of, or as a supplement to, their own services, which could allow for more effective use of MTIPS. For example: ITA, which uses similar security tools as the MTIPS provider, chose not to rely on MTIPS security services. BEA and USPTO asserted that the security tools they use are better than those used by the MTIPS provider and thus minimally rely on MTIPS security services. OS realized that it is not fully utilizing MTIPS security services and, at the time of this audit, has initiated an assessment involving interaction with the MTIPS provider to leverage MTIPS services to reduce or eliminate security services currently handled in-house. ITA, BEA, and USPTO have not done similar assessments.
These assessments could lead to potential cost savings.

In addition, we found that the SOCs for three bureaus we reviewed do not provide around-the-clock staffing coverage. These bureaus could possibly use MTIPS services to fill gaps in monitoring coverage of external Internet-facing connections when their own SOCs are not staffed.

Other Matter

The Department has a long-term initiative—the Enterprise Security Oversight Center—to enhance Department-wide security situational awareness by providing near-real-time cybersecurity status information and timely decision making for both the Department and its bureaus. In support of this initiative, OCIO arranged to have the Department of Homeland Security (DHS) conduct an independent assessment focusing on incident management capabilities within the Department beginning in June 2013. This assessment originally intended to include both SOCs at NOAA and HCHB. However, OCIO SOC management later decided to exclude HCHB SOC from the assessment. As a result, the Department missed an opportunity for the independent assessor’s in-depth review to identify weaknesses in the HCHB SOC.

Recommendations

We recommend that the Department’s Chief Information Officer work with the bureaus’ management to ensure that:

    1. Bureaus follow NIST’s Computer Security Incident Handling Guide to take timely action in response to potential cyber attacks.

    2. Bureaus without around-the-clock SOC coverage work with the MTIPS provider to evaluate MTIPS services to fill gaps in SOC coverage after business hours.

    3. Bureaus interact with the MTIPS provider to (a) explore opportunities that leverage MTIPS services to reduce or eliminate security services currently handled by the bureau and (b) ensure that MTIPS security services are fully delivered and effectively utilized.

    4. Determine the feasibility and cost effectiveness of independently assessing incident management capabilities at all bureaus’ SOCs.


Summary of Agency Response and OIG Comments

In response to our draft report, the Department concurred with the overall findings and recommendations. In addition, the Department noted OIG’s concern regarding communications between four of the bureaus, as outlined in the draft report, and the MTIPS provider. The Department plans to meet with the provider to discuss security services rendered to all of its operating units.

The Department’s response is provided in appendix B.


Appendix A: Objective, Scope, and Methodology

Our objective was to determine whether key security measures are in place to adequately monitor networks, detect malicious activities, and handle cyber incidents. We reviewed the overall Department incident management process, including monitoring, detection, and response.

In March 2013, we conducted a survey of all the Department’s bureaus to gather background information about their incident handling capabilities. Based on this survey, we selected USPTO, ITA, HCHB SOC, BEA, and BIS for in-depth review. To avoid duplicative work, we did not include Census because it had been previously assessed by GAO in 2012–2013. Also, we did not include NOAA because of a separate ongoing OIG review of its IT security program.

We reviewed internal controls significant within the context of our audit objective and employed a comprehensive methodology to validate the bureaus’ incident detection and response practices. Specifically, we

    • Reviewed applicable laws, regulations, and NIST guidance.

    • Examined bureaus’ incident detection and response policies and procedures, as well as the MTIPS contract and supporting documentation.

    • Interviewed Department OCIO senior executives and managers responsible for incident management.

    • Interviewed bureaus’ IT security officers and incident responders, as well as MTIPS provider officials and DHS United States Computer Emergency Readiness Team personnel.

    • Validated bureaus’ analytical process for incident handling by observing their security analysts’ day-to-day actions to detect, respond to, recover from, and document incidents.

    • Validated bureaus’ responses to a cyber incident by using an automated software tool to generate prolonged suspicious network traffic directed at bureaus’ public-facing Web sites in order to
simulate cyber attacks and thus trigger actions from\n             selected bureaus\xe2\x80\x99 incident responders.\n\nWe conducted our fieldwork from February 2013 to October 2013 at the Department\xe2\x80\x99s offices\nin the Washington, DC, metropolitan area. We performed this audit under the authority of the\nInspector General Act of 1978, as amended, and Department Organization Order 10-13, dated\nApril 26, 2013, and in accordance with generally accepted government auditing standards.\nThose standards require that we plan and perform the audit to obtain sufficient, appropriate\nevidence to provide a reasonable basis for our findings and conclusions based on our audit\n\n\nFINAL REPORT NO. OIG-14-017-A                                                                      9\n\x0c\xc2\xa0 DEPARTMENT OF COMMERCE\nU.S.                                                                OFFICE OF INSPECTOR GENERAL\n\nobjectives. We believe that the evidence obtained provides a reasonable basis for our findings\nand conclusions.\n\n\n\n\nFINAL REPORT NO. OIG-14-017-A                                                                    10\n\x0c\xc2\xa0 DEPARTMENT OF COMMERCE\nU.S.                                             OFFICE OF INSPECTOR GENERAL\n\n\nAppendix B: Agency Response \n\n\n\n\n\n                                011200000162 \n\n\n\n\nFINAL REPORT NO. OIG-14-017-A                                            11\n\x0c"